With the holiday's here and a bit more quiet time, I've had the time to start looking into things I've had on my list to look at for quite a while. First up, I wanted to look at the state of password manager applications and see which (if any) would meet my needs and replace simple gpg encrypted files.
After a quick look around, I settled on keepassx. Read on for a quick review and features list.
In the past, I have used gpg encrypted files or the like for storing passwords. This turns out to have some nice advantages: You can encrypt for multiple people/keys, it's easy to setup vim or the like to decrypt the file, let you use it and then drop it when you no longer need it, and most of all, it's just simple. I wanted to make sure anything I replaced this with was also simple and easy.
Keepassx is a simple GUI password manager without all that many dependencies. There is also a android app called KeePassDroid that lets you read and use the same db. This is handy for being able to carry around your db on your phone, but still have it encrypted.
I found the interface pretty simple and easy to use. Just 'yum install keepassx' and open a new db. You will need to choose a master password for the database. Sadly, you can't have multiple master keys, so this is not going to replace gpg for some things that I share with other folks, but it will work for many of my other passwords. You can also, in addition to or instead of a master db password, select or generate a key file. This would allow you to setup the db to work with a key file stored on USB or the like.
The database can be encrypted with AES-256 or Twofish-256. You will want to use AES-256 if you are going to share with the android app, as that can't currently read the Twofish-256 version. Additionally, the db password is never kept unencrypted in memory.
You can setup groups and subgroups. Each password can have optionally a username, password, url, a comment, an attachment, an expire date. If you have a URL, you can make it go to that URL with a shortcut while you have that password selected. You can copy the username/pass to your clipboard, and finally, you can use something the application calls: "autotype". It allows you to setup a specific window title to match on, and when you hit the shortcut for autotype with that window in focus it will send a tab/username/tab/password/return. (You can customize what it sends as well). This is handy for web pages or web applications, although some do things in such a way that this won't work (for example, bugzilla requires you to hit the login button before it shows the username/pass fields).
A few downsides: The GUI does seem to be somewhat clicky. (Ie, you can't easily just use a keyboard for everything in it). I wish it had ability for multiple master passwords, and then it might be useful for group shared db's, although you could just have everyone know the master password and share a key file with them as well.
Upstream, the project is currently undergoing a re-write to allow it to use the second generation database format and clean up things. I'm sure assistance would be welcome there. In the mean time the current version seems quite functional.
Overall I think I will try and use this for many of my passwords for a while. Being able to share them with my phone is a nice plus and the automation of autotype is pretty handy on the laptop.comments powered by Disqus